Getting Ahead of the GDPR “Search” Issue

In just over one year, new data protection regulations will go into effect for all companies doing business with customers in the European Union (EU). The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and sets new guidelines for how customer data should be handled, including regulations around data portability, deleting unneeded information, and informing consumers in the event of a data breach—among other stipulations.

Druva’s Founder and CEO Jaspreet Singh sat down with the team at IDG Connect to provide them with his thoughts on some of the challenges that companies will face as they start to make plans to address GDPR. According to Singh, protecting consumer data is “a critical data management issue,” which is something that the instituting of the new GDPR will be bringing to the forefront over the next year. Singh notes that “the majority of storage vendors are still stuck in hardware and software” and indicates that the future of secure data storage and management lies in the cloud.

In order to get ready for the GDPR, it’s important that companies recognize what the regulations stipulate, and how that will affect their data strategy moving forward. Key provisions of the GDPR include:

Scope: Under the new regulation, the definition of “personal data” is being expanded. Any single piece of information connected to an individual (including IP addresses and mobile device IDs) even on its own, without any other identifiable data, will need to be protected in accordance with the regulation. Additionally, the new regulations specifically mention “encryption” and “psuedo-randomization—data that has been anonymized through technological means—as personal data under the GDPR. “Biometric” and “genetic” data also get specific definitions under the GDPR as sensitive personal data, as well as enhanced protection.

Consent: The GDPR also introduces new rules about obtaining consent. Under the new regulation, consumers have to give active consent in an opt-in process. This precludes the use of pre-ticked boxes on forms, or procedures that require people to opt-out. Additionally, records will need to be kept indicating when and how consent was given, and procedures need to be created so that individuals are able to withdraw consent at any time.

Access: Once the GDPR takes effect, individuals will also have easy access to all the data that a company stores about them. That also requires any companies that store or process that data to be transparent about what data they collect or handle, what they do with that data, and offer processes for individuals to make any necessary corrections. In general, individuals can request their data “at reasonable intervals” and should receive responses within one month.

Erasure: Along with the ability to withdraw consent for data to be collected, the GDPR grants individuals “the right to be forgotten.” If the collected data is no longer needed, or a person withdraws their consent, companies must delete their collected data, and bear the responsibility for making sure that request is honored by other entities down the data processing chain.

Portability: In addition to being accessible, data must be available in common formats. This would allow an individual to take all their personal data with them when moving from one service provider to another.

Breaches: While they are increasingly common, data breaches are treated seriously under the GDPR, which lays out specific procedures for alerting government agencies and individuals when their private data has been compromised. The GDPR requires notification “without undue delay” after discovery of the breach, no later than 72 hoursafter becoming aware of it, and a company could be subject to fines if the notification deadline is not strictly met.

IT departments should be preparing for GDPR, because in addition to clear standards around data management and security, the regulations require businesses to prove compliance. There’s a punitive component as well; businesses that don’t comply could find themselves sanctioned with fines of up to four percent of turnover. Thus, non-compliance could be a costly mistake for any businesses in the EU or who does businesses with EU-based customers.

Singh predicts that the transition to GDPR won’t be a smooth one for all companies, adding that, “the first fines will be on gross negligence.” Singh indicated that many firms should be looking for cloud-based data solutions, which should be quicker to adapt to the new regulations, including being compliant with the GDPR from day one when the regulations go into effect next year.